Prevent local file inclusion/traversal/manipulation #13177

Merged (1 commit, Nov 14, 2016)

@Mark-H (Collaborator) commented Nov 14, 2016

Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities. This requires a valid manager session and access to a media source to exploit; so this was not possible with #13175.

In this pull request the found vulnerabilities are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.

The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.

The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.
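The description above talks about sanitising the path and file names handed to the media source so that a request cannot climb out of the media source base. The following is an added example written for this page, not MODX's own code: `sanitizeMediaPath()` neutralises traversal sequences the way the page describes (dropping every run of two or more dots, and treating backslashes like forward slashes, which is the Windows gap that commit e87348884 in the referenced commit log further down closes), and `resolveWithinBase()` is a stricter, defence-in-depth alternative that rejects rather than rewrites. The function names, the base path `/var/www/html/assets` and the inputs in `selfCheck()` are all constructed for the example; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed example, not MODX code. Two policies for a user-supplied media
// path: neutralise traversal sequences (the approach described in PR #13177,
// extended to backslash delimiters by commit e87348884), and a lexical
// containment check that refuses anything which would leave the base.

/**
 * Neutralise policy: normalise delimiters, remove every run of two or more
 * dots regardless of what surrounds them, collapse separators and make the
 * result relative, so it can only ever be appended to the media source base.
 */
function sanitizeMediaPath(string $path): string
{
    $path = str_replace('\\', '/', $path);                 // "..\" becomes "../"
    $path = (string) preg_replace('/\.{2,}/', '', $path);  // "..", "...", "....//" vanish
    $path = (string) preg_replace('#/+#', '/', $path);     // "a//b" becomes "a/b"
    return ltrim($path, '/');                               // never absolute
}

/**
 * Reject policy: resolve $userPath against $base purely lexically (no
 * filesystem access, so paths that do not exist yet are treated the same as
 * existing ones) and return the resolved absolute path only when every ".."
 * stays inside $base; otherwise return null so the caller can refuse.
 */
function resolveWithinBase(string $base, string $userPath): ?string
{
    $base      = trim(str_replace('\\', '/', $base), '/');
    $segments  = $base === '' ? [] : explode('/', $base);
    $baseDepth = count($segments);

    foreach (explode('/', str_replace('\\', '/', $userPath)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                                       // empty or "here"
        }
        if ($seg === '..') {
            if (count($segments) <= $baseDepth) {
                return null;                                // would climb above base
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

/** Run both policies over constructed inputs and return the results. */
function selfCheck(): array
{
    $base   = '/var/www/html/assets';                       // constructed base
    $inputs = [                                             // constructed inputs
        'images/photo.jpg',
        './images/photo.jpg',
        'images/../photo.jpg',
        '../../etc/passwd',
        '..\\..\\etc\\passwd',
        'images/....//secret.txt',
    ];
    $out = [];
    foreach ($inputs as $in) {
        $out[$in] = [
            'sanitised' => sanitizeMediaPath($in),
            'resolved'  => resolveWithinBase($base, $in),
        ];
    }
    return $out;
}

foreach (selfCheck() as $in => $r) {
    printf("%-26s sanitised: %-20s resolved: %s\n",
        $in, $r['sanitised'], $r['resolved'] ?? 'REJECTED');
}
```

Running the file prints one line per input. The neutralise policy turns `../../etc/passwd` and its backslash twin into `etc/passwd`, a path that can only be looked up inside the media source, while the reject policy returns null for both. The two disagree on `images/....//secret.txt`: the strip rule flattens it to `images/secret.txt`, whereas the lexical check keeps `....` as an ordinary directory name, which is why the broad "two or more dots" rule is the simpler guarantee when the underlying media source may be a third-party implementation that does no checking of its own. Whichever policy is used, it has to run after the framework has finished URL-decoding the request and before the value reaches the media source API, and the description's point stands: the processor layer should not rely on the media source to sanitise for it.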

Prevent local file inclusion/traversal/manipulation
Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities.

In this pull request those are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.

The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.

The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.

@Mark-H Mark-H added this to the v2.5.2 milestone Nov 14, 2016

@opengeek opengeek merged commit d3df889 into modxcms:2.5.x Nov 14, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

opengeek added a commit that referenced this pull request Nov 14, 2016

[SECURITY] Prevent local file inclusion/traversal/manipulation [#13177]
Merge remote-tracking branch 'origin/pr/13177' into 2.5.x

* origin/pr/13177:
  Prevent local file inclusion/traversal/manipulation

christianseel added a commit to christianseel/revolution that referenced this pull request Jul 7, 2017

Squashed commit of the following:
commit 7ee7c5e9130f70a0cb66680ef5a810a786372f08
Merge: 92f21fc32 f661cc68a
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jul 7 12:21:48 2017 +0200

    Refresh element in tree after changing name in element's panel

    * origin/pr/13502:
      Fixed issue #4581 #modxbughunt

commit f661cc68a38f06b695631b8d6f78edbe159cf391
Author: Julian Weaver <julian@hypo.io>
Date:   Fri Jul 7 11:04:38 2017 +0100

    Fixed issue #4581 #modxbughunt

commit 92f21fc32d45fe72bfaab5016220ce9b8574e2ba
Merge: e94f768da 3b09e1021
Author: Jan Peca <pecajan@gmail.com>
Date:   Mon Jun 19 14:30:49 2017 +0200

    Remove unused path_search and url_search processors

    * origin/pr/13433:
      Remove unused path-search and url_search processors

commit e94f768daa2d694dff210272e88225d42266a85a
Merge: c27381251 9be702ae3
Author: Jan Peca <pecajan@gmail.com>
Date:   Mon Jun 19 14:20:06 2017 +0200

    Fix logging an empty value

    * origin/pr/13445:
      Fix logging an empty value

commit c2738125126e729839d8d827facbbc6f8beb81e6
Merge: b00b5fa26 9abc9a49d
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Jun 16 11:08:37 2017 -0600

    Update xPDO to fix issue with validation classes

    Merge remote-tracking branch 'xpdo/2.5.x' into 2.5.x

    * xpdo/2.5.x:
      Add missing return statements to built-in validation classes

commit 9abc9a49d4bad258f934a8d6a28f1504d0c2659c
Merge: 397184ef4 3f6153782
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Jun 16 11:03:39 2017 -0600

    Merge remote-tracking branch 'xpdo/2.5.x' into 2.5.x

    * xpdo/2.5.x:
      Add missing return statements to built-in validation classes

commit 3f6153782dcb3fad008469b1028947132c12c878
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Jun 15 07:46:41 2017 -0600

    Add missing return statements to built-in validation classes

commit 9be702ae39c3da5a348bae028ef817a0cadeeebd
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Thu Apr 27 12:53:07 2017 +0200

    Fix logging an empty value

commit b00b5fa26e5eb618345542b3008eb63df1386d1b
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Apr 21 10:50:49 2017 -0600

    Update version for 2.5.8-dev

commit 3b09e10215dbdb0765896227a2af7c585ae6e662
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Apr 21 10:21:37 2017 -0600

    Remove unused path-search and url_search processors

commit 2ebbab1bfe950623bc72785a8d475b11f26df37e
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Apr 20 13:18:57 2017 -0600

    Update version for 2.5.7-pl release

commit cb605ee538a29b79d3a1a2a4c36c75e4af139c23
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Apr 20 12:59:52 2017 -0600

    Update lexicons from Crowdin

    Crowdin project: http://translate.modx.com
    Thanks to all translators and proofreaders for contribution!

commit 810d91fa1708b054d384494adbd0acab93568e36
Merge: 75a626d49 bb8c61599
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Apr 20 10:34:37 2017 -0600

    Try all available methods when attempting to download transport packages [#13419]

    Merge remote-tracking branch 'origin/pr/13419' into 2.5.x

    * origin/pr/13419:
      Make sure the package provider attempts different methods of download packages if one fails #13417

commit 75a626d49490ec26b60fe62dce9fb1f751abbe9a
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Apr 20 10:25:14 2017 -0600

    Update minified js

commit f1d2398afa4337a09c4be622b04919e4fc26e554
Merge: 66a125827 f3f13b77b
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Apr 20 10:17:55 2017 -0600

    Prevent stored XSS in UserGroup names and various other fields [#13418]

    Merge remote-tracking branch 'origin/pr/13418' into 2.5.x

    * origin/pr/13418:
      Use modx_charset setting instead of hardcoding UTF-8
      [SECURITY-18] Fix stored XSS in user group name, and other potential manager XSS issues

commit 66a125827d61d5cc98c06fcf08011208cba5d29a
Merge: a3f991dab e87348884
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Wed Apr 19 21:47:13 2017 +0200

    Merge remote-tracking branch 'upstream/pr/13428' into 2.5.x

    * upstream/pr/13428:
      Improve local file inclusion protections

commit a3f991dabd90acaf723c4c6ef51936d572ba5731
Author: Jason Coward <jason@opengeek.com>
Date:   Wed Apr 19 09:27:34 2017 -0600

    Prevent user/email enumeration in forgot password feature

    Addresses issue #13408

commit e87348884bb05ae25a56d320c9ccff8c08f9628d
Author: Jason Coward <jason@opengeek.com>
Date:   Wed Apr 19 08:43:10 2017 -0600

    Improve local file inclusion protections

    The existing protections would not work on Windows platforms with backslash path delimiters. This commit improves the LFI protections throughout the core to remove any sequence of 2 or more `.` characters regardless of the path delimiter that precedes or follows it.

commit f3f13b77b56025c85067b27928274e3101f4953f
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Wed Apr 19 14:28:23 2017 +0200

    Use modx_charset setting instead of hardcoding UTF-8

commit 8f137b18b08d2408e04f19ede141fe6271913147
Merge: 509e4134b 47b546774
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 18 13:38:08 2017 -0600

    Prevent XSS cache poisoning via Host header

    Merge remote-tracking branch 'origin/pr/13426' into 2.5.x

    * origin/pr/13426:
      [SECURITY-20] Prevent XSS by cache poisoning via Host header

commit 47b54677437b675decc8be7a8e090be5daca5d7f
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 18 10:58:11 2017 -0600

    [SECURITY-20] Prevent XSS by cache poisoning via Host header

commit 509e4134b0a55cea485c2aa8badfebea2b48b636
Merge: d223ec5cc 1f5199767
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Tue Apr 18 10:46:20 2017 +0200

    Proper use of json_encode and error handling for outputArray() in processors

    Merge remote-tracking branch 'upstream/pr/13389' into 2.5.x

    * upstream/pr/13389:
      create a proper json response and log errors

commit d223ec5ccf7f95d3c4721a3b6e6b74997eafc487
Merge: a1033ab67 9c49deba3
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Tue Apr 18 10:29:51 2017 +0200

    Prevent reflected XSS in setup

    Merge remote-tracking branch 'upstream/pr/13424' into 2.5.x

    * upstream/pr/13424:
      [SECURITY-20] Prevent reflected XSS in setup

commit a1033ab67bddc9d776d101bab1642a488c2ba1fd
Merge: c6323ba22 cb4c684e9
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Tue Apr 18 10:09:46 2017 +0200

    Fix local file inclusion vulnerability in setup action parameter

    Merge remote-tracking branch 'upstream/pr/13422' into 2.5.x

    * upstream/pr/13422:
      [SECURITY-20] Fix local file inclusion vulnerability in setup action parameter

commit c6323ba22312b6fac8336b50dcfce4b61e8757b2
Merge: 4aefff581 cd0955802
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Tue Apr 18 09:56:33 2017 +0200

    Remove htaccess from allowed file types on new installations

    Merge remote-tracking branch 'upstream/pr/13423' into 2.5.x

    * upstream/pr/13423:
      [SECURITY-19] Remove htaccess from allowed file types on new installations

commit 9c49deba325d0388f7980cfcb0ea31c93876e6f6
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Mon Apr 17 22:28:29 2017 +0200

    [SECURITY-20] Prevent reflected XSS in setup

    Reported via security@modx.com by Tomáš Melicher. This patch makes sure configuration values, which may be provided by an attacker, are escaped before inserting them into the database configuration form of the setup.

commit cd0955802ba49a16c206d02c9864c410f27e589d
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Mon Apr 17 22:12:54 2017 +0200

    [SECURITY-19] Remove htaccess from allowed file types on new installations

    Reported to security@modx.com by Anti Räis in ticket 19 and Tomáš Melicher in ticket 20, the ability to upload or create .htaccess files can cause code execution. Similar to how php files are not allowed out of the box, this patch prevents htaccess files by default to protect against that. Users that want to manage htaccess from the manager can still do so by editing the upload_files setting after installation.

commit cb4c684e953d9c215ddd19f358169e563b9f4019
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Mon Apr 17 21:41:50 2017 +0200

    [SECURITY-20] Fix local file inclusion vulnerability in setup action parameter

    Reported by Tomas Melicher via security@modx.com, ticket 20

commit bb8c615997c537f5e6e32ba18f44f778c147145b
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Apr 13 17:35:10 2017 +0200

    Make sure the package provider attempts different methods of download packages if one fails #13417

commit a321c4fb324679bd7672eeff2d0f505ad9ce4e05
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Apr 13 16:37:09 2017 +0200

    [SECURITY-18] Fix stored XSS in user group name, and other potential manager XSS issues

    Initial XSS report affecting the user group name and various places it gets rendered was from Anti Räis via security@modx.com, ticket 18 received April 3rd.

    During the investigation of that report I found that ExtJS components that define custom tpls need the htmlEncode filter on possibly untrusted content. So along with fixing the reported issues, I've done a quick search for similar issues and also patched the potential issues I could find.

commit 4aefff581b90fe426bcbf028a62486d51d6f78f5
Merge: ca5a9139e a490f43f4
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 11 14:45:57 2017 -0600

    Prevent stored XSS in resource pagetitle

    Merge remote-tracking branch 'origin/pr/13415' into 2.5.x

    * origin/pr/13415:
      [SECURITY-20] Prevent stored XSS in resource pagetitle

commit a490f43f4a537ce054e8cf37cee9841bcc8d688b
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Apr 11 22:00:22 2017 +0200

    [SECURITY-20] Prevent stored XSS in resource pagetitle

    Reported by Tomáš Melicher via security@modx.com, ticket 20

commit ca5a9139e33cfa494fb03eb1cf71bd2e379b341a
Merge: 9bf1c6cf7 3c7ecabff
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Sat Apr 8 21:32:48 2017 +0200

    Make search bar work as expected on Chrome & Firefox [#13405]

    Merge remote-tracking branch 'upstream/pr/13405' into 2.5.x

    * upstream/pr/13405:
      Make search bar work as expected on Chrome & Firefox

commit 9bf1c6cf7bdc12190b404f93ce7798b39c07bc59
Merge: 2e3bfe8d6 397184ef4
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 4 15:31:30 2017 -0600

    Update xPDO from 2.5.x branch to get improved escape() behavior

    Merge remote-tracking branch 'xpdo/2.5.x' into 2.5.x

    * xpdo/2.5.x:
      Remove all embedded escape characters when escape() is used on a string

commit 397184ef4118eb5ca7ef121d377aeb1160099236
Merge: 121e3c256 9ed8bfa81
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 4 15:27:05 2017 -0600

    Merge remote-tracking branch 'xpdo/2.5.x' into 2.5.x

    * xpdo/2.5.x:
      Remove all embedded escape characters when escape() is used on a string

commit 9ed8bfa81bc4846ca833698583cdffa943bea3b6
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Apr 4 15:24:22 2017 -0600

    Remove all embedded escape characters when escape() is used on a string

    This prevents SQL injection potential when a value is passed with an embedded escape character for the platform.

commit 3c7ecabffab1a72990fd2b658c4828346bf7fac9
Author: Romain Tripault <romain@melting-media.com>
Date:   Thu Mar 30 21:04:44 2017 +0200

    Make search bar work as expected on Chrome & Firefox

commit 2e3bfe8d6b616d3a832f6f80b02acdeca18c595f
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 28 08:32:34 2017 -0600

    Update version for 2.5.6-pl release

commit 174e8e0bc2205d5ffff1e08a1d12be14618f9b17
Merge: fc04d1601 6e5055a75
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 28 08:10:47 2017 -0600

    Enable Resource Group access column to be sorted (weblink, symlink, static resource)

    * origin/pr/13399:
      Enable Resource Group access column to be sorted (weblink, symlink, static resource)

commit 6e5055a75ae7d9a3084b6dd17334add6cb4456e0
Author: Mike Reid <mike@pixelchutes.com>
Date:   Mon Mar 27 16:58:45 2017 -0600

    Enable Resource Group access column to be sorted (weblink, symlink, static resource)

commit fc04d16019aef8930752937711b9a245c2dcffd3
Merge: a6a5b88e6 d76a4197e
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 27 15:36:24 2017 -0600

    Enable Resource Group access column to be sorted

    * origin/pr/13398:
      Enable Resource Group access column to be sorted

commit d76a4197e7ef710872601de590d0dcf48d5cad02
Author: Mike Reid <mike@pixelchutes.com>
Date:   Mon Mar 27 15:03:03 2017 -0600

    Enable Resource Group access column to be sorted

    - Fixes #12426 allowing sorting just like corresponding Name column
    - List active groups together at top like Plugins for convenience

commit a6a5b88e682437e191f504daff5db570b8b7aafa
Author: Jason Coward <jason@opengeek.com>
Date:   Wed Mar 22 14:07:44 2017 -0600

    Reverting changes from PR #13044

    Revert "Make sure to call processElementTags with correct $maxIterations value"

    This reverts commit e37508e9ff8701ff2752a265979982fd8911bf55.

commit cb6a438dfb735dfbb469b3eca829ab2a7eb757ff
Merge: 774718260 2572ac171
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 21:35:48 2017 -0600

    Merge pull request #13392 from opengeek/fix-parser-tests

    Comment out failing unit tests from #13044 for now

commit 2572ac171e68d136c5aa0ac94fe40eba96c72671
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 21:26:04 2017 -0600

    Comment out failing unit tests from #13044 for now

commit 7747182605e85d42e5f000884a9a4082fbc83cfc
Merge: 10738056a 16247b0c0
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 16:28:26 2017 -0600

    Fixing ‘Code: 200 OK’ message in modx-combo-country

    Merge remote-tracking branch 'origin/pr/13385' into 2.5.x

    * origin/pr/13385:
      Fixing ‘Code: 200 OK’ message in modx-combo-country

commit 10738056a7c1ed6e5fd621983e993041777f48bd
Merge: 3c9e6c5ef 9ae93f9c5
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 16:18:49 2017 -0600

    Prevent warning from array_key_exists when aliasMap not available

    Merge remote-tracking branch 'origin/pr/13297' into 2.5.x

    * origin/pr/13297:
      Fix array_key_exists PHP warning Avoid the following errors in the MODX error log `PHP warning: array_key_exists() expects parameter 2 to be array, null given` when the aliasMap is not available.

commit 3c9e6c5ef0bc4caed7b398e53ef057c82b2dc25e
Merge: 8b730e1d8 ab3f1fe12
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 16:16:06 2017 -0600

    Fix broken images in File tree when media source above doc root

    Merge remote-tracking branch 'origin/pr/13293' into 2.5.x

    * origin/pr/13293:
      added missing modauth for modxcms/revolution#13292
      fix for modxcms/revolution#13292

commit 8b730e1d8d317f6629e07a991d787167994c5bd9
Merge: 0ce204211 9310f4103
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 15:47:31 2017 -0600

    Encode HTML in the template description to prevent potential XSS

    Merge remote-tracking branch 'origin/pr/13291' into 2.5.x

    * origin/pr/13291:
      Encode HTML in the template description to prevent potential XSS [#13290]

commit 0ce20421188a9983eb5771c503e2ebb3390ad960
Merge: d41d47539 4ea062246
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 21 15:43:30 2017 -0600

    Call processElementTags with correct $maxIterations value on nested inner tags

    Merge remote-tracking branch 'origin/pr/13044' into 2.5.x

    * origin/pr/13044:
      revert last commit
      try to use `isRemovingUnprocessed` directly
      Make sure to call processElementTags with correct $maxIterations value

commit d41d47539d3b544563c3968a1e799e49b3330baf
Merge: e10b418c7 0e04b015b
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 20 16:47:39 2017 -0600

    Use (but limit) setting for results per page in package management grid

    * origin/pr/13348:
      remove extraneous variable
      change math logic to limit system setting in package grid
      use system default per page on package management grid, up to a limit
      Remove override of results per page in package management grid (fixes #12518 #modxbughunt)

commit e10b418c79fcd6bc00d46380ce3ce7bcb6a061db
Merge: 21d17020b 8c48b9255
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 20 16:45:12 2017 -0600

    Added validation for min and max length of text TV configuration

    * origin/pr/13365:
      #9039 Added validation for min and max length of field #modxbughunt

commit 21d17020b9367472195d8a35236a95e9833f5258
Merge: 56e44fe70 6f768e158
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 20 16:38:19 2017 -0600

    Allow value '0' for multi select TV items

    Merge remote-tracking branch 'origin/pr/13369' into 2.5.x

    * origin/pr/13369:
      Fix #9492 Allow value ‘0’ for multi select TV items (checkbox/listbox)

commit 56e44fe703f571fa6a6ffef610c30491db0dc0a7
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 20 16:14:41 2017 -0600

    Stick to PHPUNIT 5.7 for PHP 7.0+
    Added PHP 7.1 & 7.2 (nightly) to tests too

commit f355203d2531a0011ec6c9311049a3a3097346a3
Merge: 98a7a7d20 75bd217a2
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Mar 20 15:45:56 2017 -0600

    Fix "undefined" on package management breadcrumb when updating

    * origin/pr/13374:
      Fix #12567 - Install "undefined" on package management breadcrumb when updating

commit 1f519976777052a1b299e353d9395efc8949d858
Author: Christian Seel <cs@seda.digital>
Date:   Mon Mar 20 18:51:48 2017 +0100

    create a proper json response and log errors

commit 16247b0c0ceadf89c7a5d98e55c4e940b75cb83f
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Mar 13 11:58:20 2017 +0100

    Fixing ‘Code: 200 OK’ message in modx-combo-country

commit 0e04b015b6d057a1384557bdb881c5feae43b8a2
Author: Mike Schell <mike@webprogramming.ca>
Date:   Wed Mar 8 23:27:24 2017 -0500

    remove extraneous variable

commit 98a7a7d20f29d79aaefb18204e6a214b90cd48d8
Merge: 01e789701 6991df55b
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Mar 7 14:30:35 2017 -0700

    Reduce log level to INFO for links not found by modContext->makeUrl()

    Merge remote-tracking branch 'origin/pr/13305' into 2.5.x

    * origin/pr/13305:
      Lower log level for 'resource with id not found in context' to info [#13278]

commit 75bd217a2010616b605378f4423a3b19d2cb9c3d
Author: Joeke Kloosterman <joeke@sterc.nl>
Date:   Mon Mar 6 22:27:02 2017 +0100

    Fix #12567 - Install "undefined" on package management breadcrumb when updating

commit 6f768e15837ab09eeb2e772f64c17aa6494b0a2b
Author: Joeke Kloosterman <joeke@sterc.nl>
Date:   Mon Mar 6 08:13:23 2017 +0100

    Fix #9492 Allow value ‘0’ for multi select TV items (checkbox/listbox)

commit 01e7897013b5872a532f2cdfb29a474523c8e3e4
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Mar 3 16:30:21 2017 -0700

    Grunt build update to manager/assets/modext/modx.jsgrps-min.js

commit 186fbe8cffb147de0a4c89f339e9abf748b2be18
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Mar 3 16:12:53 2017 -0700

    Update version for 2.5.6-dev

commit a874ab189798677d99a5dd9441408184d2097f80
Merge: 14755a211 36721260e
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 21:12:07 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13364' into 2.5.x

    * upstream/pr/13364:
      Fixed issue #12714 #modxbughunt

commit 14755a2117649e0c44f68d989b6f71bbe07d1951
Merge: e5744b97d c7a4dc5f7
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 21:05:31 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13362' into 2.5.x

    * upstream/pr/13362:
      Fixed #12417 #modxbughunt - please specify a valid directory error

commit 8c48b9255845b0872d0287e72c7a5d95cce0a704
Author: Ivan Klimchuk <klimchuk@1pt.com>
Date:   Fri Mar 3 23:00:53 2017 +0300

    #9039 Added validation for min and max length of field #modxbughunt

commit e5744b97d843349a7e9880cb512096fbceae6678
Merge: 1ead28c7a f26d52ec7
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 20:55:39 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13361' into 2.5.x

    * upstream/pr/13361:
      Bug #13309 Help pages shows old documentation-link

commit 36721260e5c441e89a6d077076cd60f8270b387f
Author: Pien van Dalen <pien@sterc.nl>
Date:   Fri Mar 3 20:40:15 2017 +0100

    Fixed issue #12714 #modxbughunt

commit c7a4dc5f7842f011be52702a8cfa30a8f5fd92d1
Author: sander <sander@sterc.nl>
Date:   Fri Mar 3 20:34:19 2017 +0100

    Fixed #12417 #modxbughunt - please specify a valid directory error

commit 1ead28c7af6dc6b9bb37f889bbe57e621ed76306
Author: Sytske Haagsma <sytske@sterc.nl>
Date:   Fri Mar 3 19:17:43 2017 +0100

    Fixed that you cannot edit the pagetitle on doubleclick in recent dashboard widget #modxbughunt

commit d1d15f466ced1b833c1be9feca587554320625ca
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Feb 9 19:33:23 2017 +0100

    Fix issue deleting resource from resource groups tree if it is in multiple groups (#12842)

commit 1fe58fb8efb935074434147d2c67a9196a44b519
Merge: 2b765f062 3cfe92640
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 20:00:24 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13357' into 2.5.x

    * upstream/pr/13357:
      Tree context and Context grid working together in UI 12495 #modxbughunt

commit 2b765f06270243a607b3e5ebd0efca7600a894d1
Merge: cb88bddbe b37c9d806
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 19:35:47 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13347' into 2.5.x

    * upstream/pr/13347:
      stop generating a context cache twice

commit cb88bddbed22c8522c20b5189963b6e0e65c7b7b
Merge: 1d9ffa0c7 49922a876
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 19:25:27 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13346' into 2.5.x

    * upstream/pr/13346:
      Tidy up code
      If TV identifier is numeric, assume it is a mis-cast ID (and not the name of a TV)

commit 1d9ffa0c72f8a440912819d0c0de1a15f16d625c
Author: OptimusCrime <thomasgautv@hotmail.com>
Date:   Fri Mar 3 17:58:19 2017 +0100

    Validate chmod input

commit 3cfe9264092c04586ca5c974a4a26b7dc2b6e88b
Author: Oetzie <info@oetzie.nl>
Date:   Fri Mar 3 18:58:03 2017 +0100

    Tree context and Context grid working together in UI 12495 #modxbughunt

commit 6266696862912627968ef48f7955d199aecee688
Author: Mike Schell <mike@webprogramming.ca>
Date:   Fri Mar 3 12:25:20 2017 -0500

    change math logic to limit system setting in package grid

commit 39d4295c2ee404fc190561d045732e7923a24935
Merge: e4528e2dc cab71a5f9
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 18:05:00 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13349' into 2.5.x

    * upstream/pr/13349:
      Fixed issue #13165 Moving directories up/down adds dir as a subdirectory #modxbughunt

commit 49922a876bd072066cc000fc20a63814805bdcff
Author: Peter Bowyer <peter@mapledesign.co.uk>
Date:   Fri Mar 3 16:55:51 2017 +0000

    Tidy up code

commit cab71a5f97ede3761cd717f04ea9e099217f86da
Author: Lars Bratke <bratke@buntebrause.de>
Date:   Fri Mar 3 17:12:35 2017 +0100

    Fixed issue #13165 Moving directories up/down adds dir as a subdirectory #modxbughunt

commit e4528e2dc36527d6bc09535ca8b59ce29a76875f
Merge: e333b9be6 970e2f20a
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 17:00:10 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13342' into 2.5.x

    * upstream/pr/13342:
      Removed the extra scrollbar and white spaces of the MODX help window #13309 #modxbughunt

commit b37c9d806cf227b2111bc4d21abb19fe1ed801d7
Author: Christian Seel <cs@seda.digital>
Date:   Fri Mar 3 16:57:16 2017 +0100

    stop generating a context cache twice

commit e333b9be64cfa448769d5dc663fa37a4f730d598
Merge: 279e3bb4f 2820be5e7
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 16:55:31 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13341' into 2.5.x

    * upstream/pr/13341:
      very basic try to fix #12380 #modbughunt.

commit d9ffca5683a87f47e23a12a10e6b207b9f3cbf32
Author: Peter Bowyer <peter@mapledesign.co.uk>
Date:   Fri Mar 3 15:52:47 2017 +0000

    If TV identifier is numeric, assume it is a mis-cast ID (and not the name of a TV)

commit 279e3bb4f6f900c16463318dd1d85c3ef2aa53d1
Merge: 0bf5f6166 bec44f9f9
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 16:49:58 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13340' into 2.5.x

    Avoid duplication of modLexiconEntry objects when updating context settings

    * upstream/pr/13340:
      Fixed issue #12823 #modxbughunt

commit 0bf5f61663de8f44f04d25ac5593914210e2340a
Merge: 97c7d26fa 605dbef3f
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 16:41:25 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13334' into 2.5.x

    * upstream/pr/13334:
      Fix System Info database tables are missing on SQLSRV #9854

commit e7bccc17fffa302f7af0e2c7b2d0a3a4c04fe880
Author: Mike Schell <mike@webprogramming.ca>
Date:   Fri Mar 3 10:40:51 2017 -0500

    use system default per page on package management grid, up to a limit

commit 97c7d26faa0d419d81dd170fc651ef50f1c78c2a
Merge: ef5ba415b 58acb42f1
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 16:21:28 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13319' into 2.5.x

    * upstream/pr/13319:
      Fix bug - escape variable name in string
      Fix #10299 and let developers know that the config files will be overwritten. I've been bitten by this so keen to have a visual warning!

commit 970e2f20a1a14cb23239fcdaccaf031462567bb0
Author: Oetzie <info@oetzie.nl>
Date:   Fri Mar 3 16:19:09 2017 +0100

    Removed the extra scrollbar and white spaces of the MODX help window #13309 #modxbughunt

commit bec44f9f9631c2ca6672d854d938187e6ce16986
Author: Jesse Visser <jesse@sterc.nl>
Date:   Fri Mar 3 16:13:53 2017 +0100

    Fixed issue #12823 #modxbughunt

commit 2820be5e777cd74ea9c936a749dd54e5172456fb
Author: Fabian Christen <fabax1@gmx.de>
Date:   Fri Mar 3 16:10:48 2017 +0100

    very basic try to fix #12380 #modbughunt.

commit 6b2b25e3ecc15670cb38bf9e2cb136125e6c7c92
Author: Mike Schell <mike@webprogramming.ca>
Date:   Fri Mar 3 09:29:36 2017 -0500

    Remove override of results per page in package management grid (fixes #12518 #modxbughunt)

commit ef5ba415b497eb9c2382297736d7ed60803b02df
Merge: 54c2647c2 312087e88
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 15:08:58 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13327' into 2.5.x

    * upstream/pr/13327:
      Fixed issue with double dots in the file name #modxbughunt

commit 605dbef3fb5ec1cbf56be0946f7cffc0815b5eb6
Author: Peter Bowyer <peter@mapledesign.co.uk>
Date:   Fri Mar 3 13:56:18 2017 +0000

    Fix System Info database tables are missing on SQLSRV #9854

commit 54c2647c2ba8b46d1bc7cb72b55232fd75f23c11
Merge: eae9b6834 0b50ba3dd
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 14:53:56 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13322' into 2.5.x

    Fix duplicating resource children that are hidden from the tree

    * upstream/pr/13322:
      Fixed issue #13298 #modxbughunt

commit 58acb42f1d5544f549c948206828f34f05f7d717
Author: Peter Bowyer <peter@mapledesign.co.uk>
Date:   Fri Mar 3 13:51:38 2017 +0000

    Fix bug - escape variable name in string

commit eae9b683417cc5b17ac8fca8b070be7b52b9741d
Merge: 3c32594b9 38f2a0ec1
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 14:37:09 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13320' into 2.5.x

    Show proper error message when trying to rename a file/folder to a location that already exists

    * upstream/pr/13320:
      Fixed issue #13256 #modxbughunt

commit 3c32594b956275e5f5f540e068994f794fefa8c7
Merge: a205cdf3f 6a308b5dc
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 13:57:23 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13317' into 2.5.x

    * upstream/pr/13317:
      Fixed issue #13302 #modxbughunt

commit a205cdf3fdf2a6c4d69522c081f8d7ca341444e8
Merge: dbca864a4 0def17fdf
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 13:45:23 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13316' into 2.5.x

    * upstream/pr/13316:
      Fixed issue #12701 #modxbughunt

commit dbca864a4a7670c7dc63b837339bb1a8494c6393
Merge: c23a4bd4b b99443027
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Mar 3 13:35:26 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13315' into 2.5.x

    * upstream/pr/13315:
      Fixed issue #12822 #modxbughunt

commit 312087e888c2e6fa45e8642b4dd28c404a0e2982
Author: Ivan Klimchuk <klimchuk@1pt.com>
Date:   Fri Mar 3 15:19:40 2017 +0300

    Fixed issue with double dots in the file name #modxbughunt

commit 0b50ba3dd60c83b7d1bbde9ca2fda24be09178c2
Author: sander <sander@sterc.nl>
Date:   Fri Mar 3 11:54:14 2017 +0100

    Fixed issue #13298 #modxbughunt

commit 38f2a0ec13aa6cb2e1f76f024cf0a2d5721ae8cc
Author: Jesse Visser <jesse@sterc.nl>
Date:   Fri Mar 3 11:17:09 2017 +0100

    Fixed issue #13256 #modxbughunt

commit 94dc53877ce227a43872dd272e1e369ba71938b5
Author: Peter Bowyer <peter@mapledesign.co.uk>
Date:   Fri Mar 3 09:55:34 2017 +0000

    Fix #10299 and let developers know that the config files will be overwritten.
    I've been bitten by this so keen to have a visual warning!

commit 6a308b5dc2e8e1ea437f5fa84012e612e5b4d6da
Author: Johan van der Molen <johan@pixelive.nl>
Date:   Fri Mar 3 10:40:20 2017 +0100

    Fixed issue #13302 #modxbughunt

commit 0def17fdf91bff4d5c56c6c8e949c67a0adc422f
Author: Sytske Haagsma <sytske@sterc.nl>
Date:   Fri Mar 3 10:14:19 2017 +0100

    Fixed issue #12701 #modxbughunt

commit b9944302753790e07f604fff583d54b264c270b4
Author: Lars Bratke <bratke@buntebrause.de>
Date:   Fri Mar 3 10:02:05 2017 +0100

    Fixed issue #12822 #modxbughunt

commit c23a4bd4b6437e9382c49b033da13e6f4f0dd36d
Author: Hugo Peek <hugo@fractal-farming.com>
Date:   Fri Mar 3 17:00:56 2017 +0800

    Small correction to bug-3749

commit d0938ebbc0a4555bef258934c0dccc2257e1fe33
Author: Hugo Peek <hugo@fractal-farming.com>
Date:   Fri Mar 3 16:53:33 2017 +0800

    [FC] Improve description of how visibility toggle behaves in overlapping profiles

    This addresses the issue described in #3749, which I think is not a bug.

    #modxbughunt

commit f26d52ec7ccf4f95d7f6fe429e9a54ec8f70d6a6
Author: Andreas Wettainen <mrhaw@hotmail.com>
Date:   Thu Mar 2 10:35:59 2017 -0800

    Bug #13309 Help pages shows old documentation-link

    Change rtfm to docs

commit 73867d0ad03befdc72f0b60e915b50a097a6650a
Merge: 8cd4e07f9 853cae081
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Feb 24 22:12:43 2017 +0100

    Hide database username, password and database name from advanced setup

    Merge remote-tracking branch 'upstream/pr/13282' into 2.5.x

    * upstream/pr/13282:
      Hide database username, password and database name from setup (#13090)

commit 6991df55b5bb0375379bc55a3662759a98158b46
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Feb 21 19:30:11 2017 +0100

    Lower log level for 'resource with id not found in context' to info [#13278]

commit 8cd4e07f91d840a4716e5646f06c09baa0f4acf8
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Feb 21 15:03:16 2017 +0100

    Remove listener when a window form panel is destroyed

    (cherry picked from commit f150ec7c7f93ba702e4ab233044e48e7e4e8cf08)

commit 807c6309ebd22c4df63b7a3f792ea72c06f01a28
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Feb 21 14:59:01 2017 +0100

    Add changelog for #13296

commit 7cddf237014e86afc9bc53060f5bfba8ced8f1ba
Author: Romain Tripault <romain@melting-media.com>
Date:   Thu Feb 16 13:50:41 2017 +0100

    Make sure we have a field before trying to store the focus

    (cherry picked from commit 4a08e9b92a89cab5672ecd53ee996fa77d101399)

commit 8c632a3a87c812d6a71e5f69ecc740d604488f16
Merge: 075da1e86 7ad467f13
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Feb 21 14:45:55 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13301' into 2.5.x

    * upstream/pr/13301:
      Correct PhpDoc parameter

commit 7ad467f13517e4d7638aab16671a8f917ddcde8a
Author: Bob Ray <BobRay@users.noreply.github.com>
Date:   Fri Feb 17 13:31:30 2017 -0600

    Correct PhpDoc parameter

    This change prevents warnings in code inspections for legitimate calls like checkPermission('some_permission')

commit 9ae93f9c508510425430f725ae7ab6d62b793e8d
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Feb 17 10:24:02 2017 +0100

    Fix array_key_exists PHP warning
    Avoid the following errors in the MODX error log
    `PHP warning: array_key_exists() expects parameter 2 to be array, null given`
    when the aliasMap is not available.

commit ab3f1fe128781ed30aecbbe2a8404bebba5d9d45
Author: Lars Bratke <bratke@buntebrause.de>
Date:   Wed Feb 15 17:59:36 2017 +0100

    added missing modauth for modxcms/revolution#13292

commit b82c4a444842245ff973d0906fbe8665c48721d5
Author: Lars Bratke <bratke@buntebrause.de>
Date:   Wed Feb 15 16:49:58 2017 +0100

    fix for modxcms/revolution#13292

commit 9310f4103e707d3f6a23c1b1053a3f2b8590545c
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Feb 14 18:15:20 2017 +0100

    Encode HTML in the template description to prevent potential XSS [#13290]

commit 853cae081486ea757a10c2bffb96481dd0610257
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Feb 9 19:17:05 2017 +0100

    Hide database username, password and database name from setup (#13090)

commit 075da1e869e65315a77ec6614b65538378b501ba
Author: Jason Coward <jason@opengeek.com>
Date:   Wed Feb 8 07:09:53 2017 -0700

    Update version for 2.5.5-pl release

commit 785dccab9beb450111beac579c17b25e07bb70bc
Merge: 984b23359 2a7ff2066
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Sun Jan 29 22:10:14 2017 +0100

    Respect new_file_permissions setting when create/upload files in manager

    Merge remote-tracking branch 'upstream/pr/13246' into 2.5.x

    * upstream/pr/13246:
      Upload files with respect to the new_file_permissions setting
      Create new files with respect to the new_file_permissions setting
      Update lexicons from crowdin
      Added changelog for 2.6
      Removed the propertyset database query
      Update modx.class.php
      Update modx.class.php
      Update modx.class.php
      Update modx.class.php

    # Conflicts:
    #	_build/build.xml
    #	core/docs/changelog.txt
    #	core/docs/version.inc.php

commit 984b23359cd9982b3ac8cec9160d3406fe9687e6
Author: lexsmil <lexsmil@yandex.by>
Date:   Thu Jan 5 17:06:30 2017 +0300

    Escape regular expression special characters in last query string of a superboxselect

commit 19e29c15a742012b175eb30c86b3d28149c5904b
Merge: f2e17787d a2c0f793a
Author: Jan Peca <pecajan@gmail.com>
Date:   Sat Jan 28 22:36:42 2017 +0100

    Improve logging of bad links

    * origin/pr/13268:
      Improve logging of bad links

commit a2c0f793a366ed78bd04d758358a5e6d7cbe149e
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Jan 27 14:01:49 2017 -0700

    Improve logging of bad links

    Addresses issue described in #13265

commit f2e17787d51935ba7ea1f3d1596ade8dbe96e891
Merge: e14808b3e b48cd89b9
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 15:35:18 2017 +0100

    Fix a few Smarty variables not being defined

    * origin/pr/13117:
      Fixed a few Smarty variables not being defined

commit e14808b3e3deabf65abac87423a61e9be0e4b4eb
Merge: 533e5fc08 b586f86ad
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 15:31:45 2017 +0100

    Only load manager layout when the controller is not "browser"

    * origin/pr/13135:
      Only load manager layout when the controller is not "browser"

commit 533e5fc08d31dae8c86fd7f691a61923f56d0c71
Merge: ff452cadf 1985c7acc
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 15:14:10 2017 +0100

    Add autoHeight in the Create/UpdateSetting window

    * origin/pr/13220:
      Added autoHeight in the Create/UpdateSetting window - make additional x-types inside possible i.e. a grid that could grow with additional content.

commit ff452cadf920c2c27e71e3161c0f0c81733e8da1
Merge: c058af8f0 bfa0f1d8a
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 15:11:35 2017 +0100

    Address various potential security issues in setup

    * origin/pr/13261:
      Fix security issue with config_key in setup welcome controller
      Address various potential security issues in setup

commit c058af8f0b679b2f44be529eff36b53aad3ed54b
Merge: 06ff809da f5b9e0aa3
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 15:00:00 2017 +0100

    Update font-awesome (bower)

    * fa-update:
      Build template
      updating font-awesome (bower)

commit f5b9e0aa30289d0a8ef2fefe20302e2d0388f85a
Author: Jan Peca <pecajan@gmail.com>
Date:   Fri Jan 27 14:59:40 2017 +0100

    Build template

commit 0819205005619297102c7792c18d72aa988a3c68
Author: JP de Vries <mail@devries.jp>
Date:   Fri Jan 6 05:51:02 2017 -0800

    updating font-awesome (bower)

commit bfa0f1d8acebbc6a64a6a5fd17266fe614d0e8da
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Jan 26 19:42:37 2017 -0700

    Fix security issue with config_key in setup welcome controller

commit 06ff809da9d8932fb671484fff9511435925d0e3
Author: OptimusCrime <thomasgautv@hotmail.com>
Date:   Wed Jan 4 01:03:32 2017 +0100

    Put GitHub files in own directory

commit a89418d35e434abaf5c7284383461a434047911d
Merge: fd92c37c4 7b42ffb85
Author: Jan Peca <pecajan@gmail.com>
Date:   Wed Jan 25 15:39:01 2017 +0100

    Validate file extension when renaming/creating files in file browser

    * origin/pr/13240:
      Improved version Check if allowedFileTypes is set, otherwise use a combined array of upload_files, upload_images, upload_media and upload_flash settings.
      Validate file extension when renaming/creating files in file browser

commit fd92c37c4a3aec5dba0f9556d1e3fed5dd51a705
Merge: e86159729 ff55a7c19
Author: Jan Peca <pecajan@gmail.com>
Date:   Wed Jan 25 15:26:45 2017 +0100

    Add examples to rewrite all domains of one installation with/without www

    * origin/pr/13249:
      Examples to rewrite all domains of one installation with/without www

commit e86159729030c2a99ec162b333c5037cedb56725
Merge: 907bdbebe b9b896bee
Author: Jan Peca <pecajan@gmail.com>
Date:   Wed Jan 25 15:20:46 2017 +0100

    Update MODX Transport Provider to use SSL URL

    * origin/pr/13260:
      Update MODX transport provider to SSL URL

commit 907bdbebefbc5313bcaa3b368d1dcdb165fc79bc
Merge: 117a3213f 8593af323
Author: Jan Peca <pecajan@gmail.com>
Date:   Wed Jan 25 15:17:24 2017 +0100

    Add site name to the login title

    * origin/pr/13254:
      Add site name to the login title #13252

commit bb2bd98d7ab92cb6d027f42b8e24f24897797d2a
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Jan 23 14:08:43 2017 -0700

    Address various potential security issues in setup

commit b9b896bee1091929873165bca5c33999343dc077
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Jan 23 11:54:36 2017 -0700

    Update MODX transport provider to SSL URL

commit 8593af32334d35a4adcf70783b059a9316025120
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Fri Jan 13 16:13:25 2017 +0100

    Add site name to the login title #13252

commit ff55a7c19265f7c69997de5f32718e6f9f30a55b
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Wed Jan 11 12:50:01 2017 +0100

    Examples to rewrite all domains of one installation with/without www

commit 2a7ff20667181eba8205eae4c2ac7f8a81417397
Author: xf0 <kibbie@mail.ru>
Date:   Tue Jan 10 19:01:18 2017 -0500

    Upload files with respect to the new_file_permissions setting

commit d190d4e1b5ee47c17b1a6cdd96246950d60e9b8a
Author: xf0 <kibbie@mail.ru>
Date:   Tue Jan 10 18:57:18 2017 -0500

    Create new files with respect to the new_file_permissions setting

commit 7b42ffb851897faf67bd1f6b9a0885bdfdc596b3
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Jan 9 09:26:15 2017 +0100

    Improved version
    Check if allowedFileTypes is set, otherwise use a combined array of upload_files, upload_images, upload_media and upload_flash settings.

commit 67945bb2747856a403230205494054345ec68c62
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Jan 6 01:27:15 2017 +0100

    Validate file extension when renaming/creating files in file browser

commit 117a3213fa1c35746496b4c4072e397beb4ba367
Author: Bruno17 <b.perner@gmx.de>
Date:   Thu Jan 5 22:27:07 2017 +0100

    Fix File Unzip feature #13223

commit 2b9b5c80ccf957a16d69eb3ba545a7f9febe4611
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Jan 6 00:08:55 2017 +0100

    MODX Revolution 2.5.5-dev

commit 249550b4568e690e279d9fc453fef1ce7a5a36cb
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Jan 6 00:06:33 2017 +0100

    MODX Revolution 2.5.5-dev

commit d020d1bd15ed7643102efaa54fe6de19dc23e878
Merge: 43cb76bdf 2dfb80e8e
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Fri Jan 6 00:01:50 2017 +0100

    Merge branch '2.5.x' of github.com:Jako/revolution into 2.5.x

commit 43cb76bdf8028db2c29ba6b81b47689fcca69d5a
Author: twet2f999 <sart@portal-nk.ru>
Date:   Mon Nov 7 12:30:03 2016 +0800

    Fix truncating filename at space when downloading via filemanager
    Update modfilehandler.class.php

commit c788487ec3dd62508ea8e0bfcc8c0cb77aa81383
Merge: 8e4316dba c53bcfe70
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:40:50 2017 -0700

    Merge branch '2.5.x' into 2.x

    * 2.5.x:
      MODX Revolution 2.5.4-pl
      xPDO 2.5.3-pl
      Make sure xPDOQuery base class is always loaded

commit c53bcfe70f6c37c47275ac2b02c6e8cfa344038e
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:39:00 2017 -0700

    MODX Revolution 2.5.4-pl

commit 4193e0d1adfba9e1dd3ac436f019391366e5d96f
Merge: a293e6c22 121e3c256
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:38:00 2017 -0700

    Update xPDO to 2.5.3 release to avoid xPDOQuery class not found error

    Merge remote-tracking branch 'xpdo/master' into 2.5.x

    * xpdo/master:
      xPDO 2.5.3-pl
      Make sure xPDOQuery base class is always loaded

commit 121e3c256411a75bce3adbca6c46d43405e6b0da
Merge: 0677f8178 6f8b3732f
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:35:50 2017 -0700

    Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      xPDO 2.5.3-pl

commit 6f8b3732f77838e73a3fab61436514bb06ebf087
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:34:30 2017 -0700

    xPDO 2.5.3-pl

commit 0677f8178ee9c4c2518ac2ffc68dd907188bf570
Merge: 0d4dd5778 bee58fedb
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:31:32 2017 -0700

    Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Make sure xPDOQuery base class is always loaded

commit bee58fedb04fb201429335f1fa6fe4e31238b996
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 12:30:35 2017 -0700

    Make sure xPDOQuery base class is always loaded

commit 8e4316dbac18e7bcbd90afd216bc8c95f4cd29bb
Merge: d79e5db20 a293e6c22
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 09:37:52 2017 -0700

    Merge branch '2.5.x' into 2.x

commit a293e6c220cba2d83cab9dc7327288bc93e25a69
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Jan 3 09:34:38 2017 -0700

    MODX Revolution 2.5.3-pl

commit e4bfa38f9f1a4d6c10707e964cd81f478444038e
Author: Jan Peca <pecajan@gmail.com>
Date:   Tue Jan 3 17:22:04 2017 +0100

    Update lexicons from crowdin

    Crowdin project: http://translate.modx.com
    Thanks to all translators and proofreaders for contribution!

commit 2dfb80e8e77784614c32caf0fefb808347a24468
Author: twet2f999 <sart@portal-nk.ru>
Date:   Mon Nov 7 12:30:03 2016 +0800

    Fix truncating filename at space when downloading via filemanager
    Update modfilehandler.class.php

commit d79e5db20972d19e4076fa52f96385e82eb974dd
Merge: 49a803d28 66d7be01f
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Jan 2 12:12:13 2017 +0100

    Merge branch '2.5.x' into 2.x

commit 66d7be01f63d48f4ffaf0fd66d561219cc7a9923
Merge: 45641b503 9b15d99d2
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Jan 2 12:10:08 2017 +0100

    Fix listing packages on systems with non-utf8 locales
    Merge branch 'non-utf8' into 2.5.x

    * non-utf8:
      Fix listing packages on systems with non-utf8 locales

commit 9b15d99d27cb00ad64e149b31b53af914872033d
Author: fn3k4 <gluk.johnson@gmail.com>
Date:   Tue Nov 22 01:03:15 2016 +0300

    Fix listing packages on systems with non-utf8 locales

    This bug already has an issue discussion:
    https://github.com/modxcms/revolution/issues/13079

    Conditions:
    - OS locale non-English with an 8-bit codepage (ru_RU.cp1251 for example)
    - Modx locale ru_RU
    - modx_charset UTF-8
    - PHP 5 >= 5.2.0
    - PHP runs as CGI

    How to reproduce the bug:
    - Install modx
    - Enter "Extras -> Install" page
    - Select "modx.com" provider
    - Select "Extras" on the left pane
    - Select subitem of the "Extras" ("Blogging" for example)
    - You should see infinite "Loading..." message and no listing of extras.

    The reason why it happens:
    There is code in the file
    core\model\modx\processors\workspace\packages\rest\getlist.class.php
    =======================
    public function initialize() {
    ...
      $this->setDefaultProperties(array(
    ...
        'dateFormat' => '%b %d, %Y',
    ...
    =======================

    where the "%b" date format specifier produces a *localized* short month name according to the OS locale settings.
    Then this string falls into the following code in the file
    core\xpdo\xpdo.class.php
    =======================
        /**
         * Converts a PHP array into a JSON encoded string.
         *
         * @param array $array The PHP array to convert.
         * @return string The JSON representation of the source array.
         */
        public function toJSON($array) {
            $encoded= '';
            if (is_array ($array)) {
                if (!function_exists('json_encode')) {
                    if (@ include_once (XPDO_CORE_PATH . 'json/JSON.php')) {
                        $json = new Services_JSON();
                        $encoded= $json->encode($array);
                    }
                } else {
                    $encoded= json_encode($array); // *** about line 2412
                }
            }
            return $encoded;
        }
    =======================

    Then the built-in function "json_encode" cannot encode the 8-bit month name in cp1251 and returns an empty result in the variable "$encoded".

    Possible solutions:

    1. make the 'dateFormat' field numeric only:
    =======================
    'dateFormat' => '%Y-%m-%d',
    =======================
    this will work everywhere.

    2. add an option to call built-in "json_encode" to ignore errors:
    =======================
    $encoded= json_encode($array, JSON_PARTIAL_OUTPUT_ON_ERROR);
    =======================
    then you cannot see the release date, but you can see the extras list

    3. Do not use built-in "json_encode"

commit 49a803d2831450915c37886ab99d4c55ee1a9dd6
Merge: c98a8574f 45641b503
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Jan 2 11:29:07 2017 +0100

    Merge branch '2.5.x' into 2.x

commit 45641b503a0d0a07ee938fa3e5be1ee057b3cca0
Merge: 19433268e 64ce9366d
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Jan 2 11:00:44 2017 +0100

    Merge remote-tracking branch 'upstream/pr/13229' into 2.5.x

    * upstream/pr/13229:
      Update PHPMailer to 5.2.21 for CVE-2016-10045 patch

commit 64ce9366ddcc6de0af36f9e57cc084d67557dafa
Author: Jason Coward <jason@opengeek.com>
Date:   Sat Dec 31 17:53:43 2016 -0700

    Update PHPMailer to 5.2.21 for CVE-2016-10045 patch

commit 19433268ee736486d551a0f7a0e00464827edaef
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Dec 27 14:10:53 2016 -0700

    Access chunk array instead of chunk object instance

commit aa1647c851fd91119b0e498e906f2b3004b8c335
Merge: b0ad95497 6dec12a0e
Author: Jason Coward <jason@opengeek.com>
Date:   Tue Dec 27 14:01:32 2016 -0700

    Update PhpMailer to 5.2.19 to protect against RCE vulnerability

    Merge remote-tracking branch 'origin/pr/13227' into 2.5.x

    * origin/pr/13227:
      Revert file permission changes
      [Security] Update PhpMailer to 5.2.19 to protect against RCE vulnerability

commit 6dec12a0e0dc4cb5dd7510b583bfdd14f3f7ce05
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Dec 27 15:28:24 2016 +0100

    Revert file permission changes

commit e365215ff0a8c79c97991920e45b469a1bee6bea
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Tue Dec 27 15:05:24 2016 +0100

    [Security] Update PhpMailer to 5.2.19 to protect against RCE vulnerability

    Related advisory: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

commit c98a8574fdc28e189fdda8ea3331c34a45ff0899
Author: Jan Peca <pecajan@gmail.com>
Date:   Mon Dec 19 22:07:26 2016 +0100

    Update lexicons from crowdin

    Crowdin project: http://translate.modx.com
    Thanks to all translators and proofreaders for contribution!

commit 0b118414d8874f5a8fb484257985f09a8aaeeed4
Merge: b9ce93658 b0ad95497
Author: Jan Peca <pecajan@gmail.com>
Date:   Mon Dec 19 22:06:42 2016 +0100

    Merge remote-tracking branch 'origin/2.5.x' into lexicon-sync

commit b0ad9549766b3963e3e3cd6ddb4bdb7463a33355
Author: Jan Peca <pecajan@gmail.com>
Date:   Mon Dec 19 22:05:23 2016 +0100

    Update lexicons from crowdin

    Crowdin project: http://translate.modx.com
    Thanks to all translators and proofreaders for contribution!

commit 1985c7acc637d30f439323bef6a261eaadfd52e2
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Sat Dec 17 12:51:41 2016 +0100

    Added autoHeight in the Create/UpdateSetting window
    - make additional x-types inside possible i.e. a grid that could grow with additional content.

commit b9ce93658cbfd8846f89714e0658eeb0129f559c
Merge: 43c4615a0 ee9b5754c
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 13:17:11 2016 -0700

    Merge branch '2.5.x' into 2.x

commit ee9b5754cef1a1eb7ada50a81800a80c92ca3c64
Merge: 3683fc842 0d08b30c0
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 12:12:53 2016 -0700

    Add various missing permission checks to processors

    Merge remote-tracking branch 'origin/pr/13174' into 2.5.x

    * origin/pr/13174:
      Make sure a bunch of processors have a permission check

commit 3683fc8420ce3d82cc36bd69f24e5cd6493a0156
Merge: b4456746a 0d4dd5778
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 12:09:00 2016 -0700

    Update xPDO to 2.5.2

    Merge remote-tracking branch 'xpdo/master' into 2.5.x

    * xpdo/master:
      Update version for 2.5.2 release
      Sanitize and prevent SQLi in getObject calls expecting PK values

commit 0d4dd577835afd28305ccd06f593c0f7871d6cdf
Merge: a40764330 69241ba74
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 12:06:50 2016 -0700

    Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Update version for 2.5.2 release
      Sanitize and prevent SQLi in getObject calls expecting PK values

commit 69241ba74114b78533bc7e8e235d260fb092ede0
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 12:04:17 2016 -0700

    Update version for 2.5.2 release

commit 305f2ba75c09a396e33a3b8508f0110524e28301
Author: Jason Coward <jason@opengeek.com>
Date:   Fri Dec 16 11:59:56 2016 -0700

    Sanitize and prevent SQLi in getObject calls expecting PK values

    Also make isValidClause method static in xPDOQuery

commit b4456746a6eb6e9079307b5d4e7740dbcae32df7
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:49:22 2016 -0700

    Update version for 2.5.3-dev

commit 0044b0be8f58b46943e6f22851704f87a1324ffb
Merge: 3ea8788cd b098aa895
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:43:18 2016 -0700

    Improve phpThumb InitializeTempDirSetting

    Merge remote-tracking branch 'origin/pr/13151' into 2.5.x

    * origin/pr/13151:
      typo
      Improved phpThumb InitializeTempDirSetting

commit 3ea8788cd53fffb63e9202558a6aeff990fa9246
Merge: 2940163ad 7f7685b04
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:35:55 2016 -0700

    Validate Resources when dropped onto weblinks and symlinks

    Merge remote-tracking branch 'origin/pr/13213' into 2.5.x

    * origin/pr/13213:
      Update modx.treedrop.js

commit 2940163ad0d103c4fbfd65e43a68b6b5cbd7a920
Merge: 52d984bb0 d2dea78f2
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:27:07 2016 -0700

    Merge pull request #13161 from pixelchutes/fix-ellipsis

    Remove extra ellipsis from system setting search / filter input

commit 52d984bb0b2ea347e29dc37f736f8113334666f0
Merge: e6bb1cb71 d9d7819b8
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:25:40 2016 -0700

    Fix Resources not loading in the tree in sqlsrv

    Merge remote-tracking branch 'origin/pr/13162' into 2.5.x

    * origin/pr/13162:
      Fix modResourceGetNodesProcessor invalid column name 'true' error (SQL Server)

commit e6bb1cb71e739ab98e63a18461f48bd71d12177a
Merge: 2351cc1b5 8d3ead1b5
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:21:38 2016 -0700

    Merge pull request #13198 from Jako/console-padding

    Improved fix of #13038

commit 2351cc1b5cef115d630c1205dabff186094a780e
Merge: e04c04891 e3fecc043
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:15:11 2016 -0700

    More specific removal of critical settings in MODX.config

    Merge remote-tracking branch 'origin/pr/13180' into 2.5.x

    * origin/pr/13180:
      Remove path related settings from MODx.config, reverting part of #13170

commit e04c0489106e3d911d83d4e7a78300c2170aa4d3
Merge: 8522157b7 a40764330
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 20:01:03 2016 -0700

    Update xPDO for critical BC break corrections

    Merge remote-tracking branch 'xpdo/master' into 2.5.x

    * xpdo/master:
      Allow empty sort direction
      Revert getCriteria change to force scalar params to be PK values
      Fixing a PHP 7 issue
      Make isValidClause public

commit a40764330e1c03eca8e063765b7f4e5f18925df3
Merge: 6cdd3ec63 028cb50a0
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 19:57:55 2016 -0700

    Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Allow empty sort direction
      Revert getCriteria change to force scalar params to be PK values
      Fixing a PHP 7 issue
      Make isValidClause public

commit 028cb50a059b4a25bbddea6c1d5dc6ea70a85f06
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 16:51:14 2016 -0700

    Allow empty sort direction

    Resolves #103

commit 9c9910a041d7987fb6e3aae2b60616b27c365dc4
Author: Jason Coward <jason@opengeek.com>
Date:   Thu Dec 15 16:37:09 2016 -0700

    Revert getCriteria change to force scalar params to be PK values

    This reverts commit 84decc3d54104516007d0e216e6b325481def3ed and solves a significant BC break that loads objects by invalid primary keys.

commit 7f7685b0435dc143e2751d284bf8deb7be78d38e
Author: Mat Dave Jones <mat@matdave.com>
Date:   Thu Dec 8 12:07:30 2016 -0600

    Update modx.treedrop.js

    Adding a check to symlinks and weblinks in case the item being dragged is not a resource.

commit d480b81b883ea468b26eb3937df3844bcf0cbd9e
Merge: 884a74232 3dd7c572c
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Dec 5 14:54:30 2016 -0700

    Make xPDOQuery::isValidClause a public method

    Merge remote-tracking branch 'origin/pr/100' into 2.x

    * origin/pr/100:
      Make isValidClause public

commit 884a74232c52a7cadfbea8b37659153f079a1a84
Merge: a2e34bce7 7b8bfb7dc
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Dec 5 12:25:31 2016 -0700

    Change constructor in PclZip to be PHP 7 compatible

    Merge remote-tracking branch 'origin/pr/101' into 2.x

    * origin/pr/101:
      Fixing a PHP 7 issue

commit 7b8bfb7dc7f36c8cf314191b6eba0e2ff3b7f613
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Mon Nov 28 15:45:25 2016 +0100

    Fixing a PHP 7 issue

    Changing the constructor would be no problem (or does xPDO have to be PHP4 compatible?)

    See https://github.com/modxcms/revolution/issues/13188

commit 8d3ead1b5a09bb8916544191758b70ceee896a55
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Sun Nov 27 21:30:35 2016 +0100

    Improved fix of #13038
    - Console needs some padding top (see modxcms#13038 (comment))

commit 8522157b72d35abe5040f42fe4597098cd7f0927
Author: JP DeVries <mail@devries.jp>
Date:   Tue Nov 22 13:21:30 2016 +0100

    Removing placeholders from login screen

    They are the same as the label and redundant both visually and audibly

commit d73df6e76996177e74dd3bbda54506657638ea5c
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Nov 24 03:52:24 2016 +0100

    Update Font Awesome to 4.7.0

commit 5896a79df83ea020d8d5933e4ab6edeaabbccbcc
Merge: 08b679b80 f50a4ed6b
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Nov 24 03:48:46 2016 +0100

    Merge remote-tracking branch 'upstream/pr/13189' into 2.5.x

    * upstream/pr/13189:
      Fixing #12596 Media Sources getting wrong name

commit 08b679b803aa1f10002274ba67130c74851d9cc9
Merge: a41de649e f42a2f4b0
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Thu Nov 24 03:36:24 2016 +0100

    Merge remote-tracking branch 'upstream/pr/13190' into 2.5.x

    * upstream/pr/13190:
      Broken "Uploaded Versions"

commit f42a2f4b0411d2e8f0b5dc09515169b082ce97b6
Author: Serge <kudashevs@gmail.com>
Date:   Wed Nov 23 23:20:25 2016 +0200

    Broken "Uploaded Versions"

    After upgrading to 2.5.2 I found that if I use View Details in Package Manager I get an error in error.log: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ASC, modTransportPackage.release_index DESC LIMIT 20' at line 1" and the Uploaded Versions tab is empty. While investigating this problem I found that the new sortby function from xpdoquery.class.php (commit 067cb74d41af6419120f87d98f576a97be820d95) now requires a second argument. This change gets Package Manager working normally again.

commit f50a4ed6b9ff048789e83b83d930cbc2c2756147
Author: Thomas Jakobi <thomas.jakobi@partout.info>
Date:   Wed Nov 23 11:01:08 2016 +0100

    Fixing #12596 Media Sources getting wrong name

commit e3fecc043583b1b80798d13340ac4f2ed1429ac1
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Wed Nov 16 17:40:23 2016 +0100

    Remove path related settings from MODx.config, reverting part of #13170

commit 3dd7c572c2942929d47c0bb44439d367b86802c7
Author: Vasily Naumkin <bezumkin@yandex.ru>
Date:   Wed Nov 16 20:58:42 2016 +0700

    Make isValidClause public

    I think we should make this method public, because the property "query" is public already and we can add anything to it manually.

    And it would be better to check the clause with the built-in xPDO method before this.

commit 43c4615a065fc095b15056d27b89a19deba1d056
Merge: e4853ef34 a41de649e
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 13:40:09 2016 -0700

    Merge branch '2.5.x' into 2.x

    * 2.5.x:
      MODX Revolution 2.5.2-pl
      [SECURITY] Hide critical settings in MODx.config [#13170]
      Prevent local file inclusion/traversal/manipulation
      Prevent path traversal in $modx->runProcessor
      Prevent unauthenticated access to processors
      Force all scalar expressions to be a primary key
      Fix path traversal regex to allow modx.config.js.php to still work https://github.com/modxcms/revolution/pull/13173#issuecomment-260280630
      Update changelog and build properties for 2.5.1 release
      Update changelog
      Remove statement causing loop in unit tests
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
      Fix isValidClause check for certain injections
      Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
      Prevent path traversal in modConnectorResponse action param
      Add catch-all SQL Injection Detection to xPDOQuery->prepare
      SQL injections in ORDER BY and LIMIT clauses
      Possible fix for blind SQL injection

commit a41de649e9d4884a9ac777d29474234eebd56586
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 13:33:31 2016 -0700

    MODX Revolution 2.5.2-pl

commit dd379eeeff99f583702d4f4f9130a122cfe27870
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 13:17:58 2016 -0700

    [SECURITY] Hide critical settings in MODx.config [#13170]

    - Update config.js.php

commit 1cef48aab066f0e436ef64a20470d040fdaa8957
Merge: 3a9dfc8c9 d3df88970
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 13:03:27 2016 -0700

    [SECURITY] Prevent local file inclusion/traversal/manipulation [#13177]

    Merge remote-tracking branch 'origin/pr/13177' into 2.5.x

    * origin/pr/13177:
      Prevent local file inclusion/traversal/manipulation

commit d3df889703f712e71eb0cdca4f9b316731f51143
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Mon Nov 14 20:54:33 2016 +0100

    Prevent local file inclusion/traversal/manipulation

    Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities.

    In this pull request those are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.

    The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.

    The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.
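
The containment check this commit describes, as an added example written for this page and not MODX's own media source code: a hypothetical helper `constrainToBase()` that resolves `../` segments lexically and rejects any request that would climb above the media source base. The base path `/var/www/assets/` and the sample requests are constructed for the demo; symlinks inside the base are not considered (that would need `realpath()` on an existing path).

```php
<?php
// Added example (not MODX code): keep a user-supplied path inside a media source base.
// Returns the resolved path, or null when the request must be rejected. PHP 7.1+.
function constrainToBase(string $base, string $requested): ?string
{
    // NUL bytes can truncate paths in the C-level filesystem calls; refuse them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Treat backslashes as separators too, so 'a\..\b' is not seen as one segment.
    $requested = str_replace('\\', '/', $requested);
    $base = rtrim(str_replace('\\', '/', $base), '/') . '/';

    // Resolve '.' and '..' segment by segment; '..' may never pop past the base.
    $parts = [];
    foreach (explode('/', $requested) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null; // attempted to climb above the media source base
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return $base . implode('/', $parts);
}

// Constructed sample requests of the kind browser/directory/* processors receive.
$base = '/var/www/assets/';
$samples = ['images/2016/', 'images/../css/', '../../outside.txt', 'sub/../../up', "img/\0../x"];
foreach ($samples as $p) {
    $r = constrainToBase($base, $p);
    printf("%-24s => %s\n", var_export($p, true), $r === null ? 'REJECTED' : $r);
}
```

Only the first two samples resolve (to `/var/www/assets/images/2016` and `/var/www/assets/css`); the other three are rejected before any filesystem call is made.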

commit 3a9dfc8c9e4c35ad0690677508a28025a5080f3d
Merge: 36bcd7998 6040f6423
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 12:09:33 2016 -0700

    [SECURITY] Prevent path traversal in $modx->runProcessor [#13176]

    Merge remote-tracking branch 'origin/pr/13176' into 2.5.x

    * origin/pr/13176:
      Prevent path traversal in $modx->runProcessor

commit 36bcd7998e206458b246036519697d62f0b5e9d3
Merge: 1c0d1d81d 19836b79e
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 12:07:42 2016 -0700

    [SECURITY] Prevent unauthenticated access to processors [#13175]

    Merge remote-tracking branch 'origin/pr/13175' into 2.5.x

    * origin/pr/13175:
      Prevent unauthenticated access to processors

commit 1c0d1d81de9bea4a96b2475004aa4f9cb7db4452
Merge: befef7eba 6cdd3ec63
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 12:02:48 2016 -0700

    Merge remote-tracking branch 'xpdo/master' into 2.5.x

    * xpdo/master:
      Force all scalar expressions to be a primary key
      Update changelog

commit 6cdd3ec638e1824841e2427182ba7e7cde5382e7
Merge: 5cbc10b96 a2e34bce7
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 12:00:54 2016 -0700

    Merge remote-tracking branch 'xpdo/2.x'

    * xpdo/2.x:
      Force all scalar expressions to be a primary key
      Update changelog

commit 6040f64239f19bc8cc8b944663d51b09bb0f9a06
Author: Mark Hamstra <hello@markhamstra.com>
Date:   Mon Nov 14 19:57:55 2016 +0100

    Prevent path traversal in $modx->runProcessor

    Similar to the patch in #13173, however specifically for processors executed via $modx->runProcessor. It's a lot harder to execute a successful path traversal through $modx->runProcessor as it's typically only used server-side without accepting user input. But, here you go.

commit a2e34bce7f6a59cebcb44fdd977d87b01a48739f
Merge: 11623f618 6acbfdcee
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 11:57:51 2016 -0700

    Force scalar parameters to be PK values in getCriteria

    Merge branch '2.4.x' into 2.x

    * 2.4.x:
      Force all scalar expressions to be a primary key
      Update changelog

commit 6acbfdceee4f0648b5207b4fec04cdfa31580a5e
Merge: ce4936451 84decc3d5
Author: Jason Coward <jason@opengeek.com>
Date:   Mon Nov 14 11:56:43 2016 -0700

    Force scalar parameters to be PK values in getCriteria

    Merge remote-tracking branch 'origin/pr/99' into 2.4.x

    * origin/pr/99:
      Force all scalar expressions to be a primary key

commit 19836b79e8555fc6…